Jak w tytule; prawie wszystko udało sie naprawić (w robocie był ComboFix, FlashDisk Disinfector) ale:
-
np przy próbie uruchomienia płyty z PC world “nie jest prawidłową aplikacją systemu Win32”
-
błąd odmowy dostępu przy msconfig
-
jeszcze trochę wolny, mimo użycia Ashampoo i CCleaner
-
Avira wykrył ostatnio crypt Xpack.Gen oraz Xema.A
logi z ComboFix i Hijack (a propos - E: to DVD, zapomniałem wyjąć wcześniej wspomnianą płytkę)
ComboFix 08-11-13.02 - M i S 2008-11-15 19:11:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.65 [GMT 1:00]
Uruchomiony z: c:\documents and settings\M i S\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\autorun.inf . . . . nie udało się usunąć
.
((((((((((((((((((((((((( Pliki utworzone od 2008-10-15 do 2008-11-15 )))))))))))))))))))))))))))))))
.
2008-11-15 18:16 . 2008-11-15 18:16
2008-11-15 16:07 . 2008-11-15 16:07
2008-11-14 22:19 . 2008-11-14 22:24
2008-11-14 22:19 . 2008-11-14 22:19
2008-11-14 20:47 . 2008-11-14 20:47
2008-11-14 20:47 . 2008-11-14 20:47
2008-11-14 14:48 . 2008-10-24 12:21 455,296 -----c— c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 14:47 . 2008-09-04 18:17 1,106,944 -----c— c:\windows\system32\dllcache\msxml3.dll
2008-11-07 17:08 . 2008-11-07 17:08
2008-11-07 17:08 . 2008-11-07 17:08
2008-11-07 17:08 . 2008-11-07 17:08
2008-11-07 17:08 . 2008-11-07 17:08
2008-11-07 17:06 . 2008-11-07 17:08
2008-11-07 16:59 . 2008-11-07 16:59
2008-11-07 16:32 . 2008-11-07 16:32
2008-11-06 21:39 . 2008-11-15 16:02
2008-11-06 20:26 . 2008-11-06 20:26
2008-11-06 20:26 . 2008-11-06 20:26
2008-11-06 13:41 . 2008-11-06 13:41
2008-11-06 13:15 . 2008-11-07 16:28
2008-11-06 13:15 . 2008-11-14 22:21
2008-11-06 12:47 . 2008-11-13 02:20
2008-11-06 12:33 . 2008-11-06 12:33
2008-11-06 01:36 . 2008-11-06 01:36
2008-11-06 01:11 . 2008-11-06 01:11
2008-11-06 01:11 . 2008-11-15 16:02
2008-11-06 01:11 . 2008-11-06 01:13
2008-11-04 18:45 . 2008-11-07 09:13 69 --a------ c:\windows\NeroDigital.ini
2008-10-26 12:34 . 2005-06-10 14:29 2,920,448 --------- c:\windows\NuNinst.exe
2008-10-26 12:34 . 2004-07-26 17:16 1,568,768 --------- c:\windows\system32\ImagX7.dll
2008-10-26 12:34 . 2004-07-26 17:16 476,320 --------- c:\windows\system32\ImagXpr7.dll
2008-10-26 12:34 . 2004-07-26 17:16 471,040 --------- c:\windows\system32\ImagXRA7.dll
2008-10-26 12:34 . 2004-07-26 17:16 262,144 --------- c:\windows\system32\ImagXR7.dll
2008-10-26 12:34 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
2008-10-26 12:34 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
2008-10-26 12:34 . 2005-06-17 17:08 59,483 --------- c:\windows\NuNinst.cfg
2008-10-26 12:33 . 2008-10-26 12:33
2008-10-26 12:33 . 2008-10-26 12:34
2008-10-26 12:33 . 2008-10-26 12:34
2008-10-26 12:33 . 2005-06-10 17:12 99,584 --------- c:\windows\system32\drivers\InCDfs.sys
2008-10-26 12:33 . 2005-06-10 17:11 29,696 --------- c:\windows\system32\drivers\InCDpass.sys
2008-10-26 12:33 . 2005-06-10 15:11 28,160 --------- c:\windows\system32\drivers\InCDrm.sys
2008-10-26 12:33 . 2003-12-05 10:46 10,368 --------- c:\windows\system32\drivers\pfc.sys
2008-10-26 12:33 . 2005-06-10 17:12 8,704 --------- c:\windows\system32\drivers\InCDrec.sys
2008-10-26 12:31 . 2008-10-26 12:32
2008-10-26 12:31 . 2005-03-31 22:17 40,960 --a------ c:\program files\Uninstall_CDS.exe
2008-10-23 20:40 . 2008-10-15 17:36 337,408 -----c— c:\windows\system32\dllcache\netapi32.dll
2008-10-19 13:21 . 2008-08-14 14:26 2,146,816 -----c— c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-19 13:21 . 2008-09-15 16:27 1,846,656 -----c— c:\windows\system32\dllcache\win32k.sys
2008-10-19 13:21 . 2008-09-08 11:41 333,824 -----c— c:\windows\system32\dllcache\srv.sys
2008-10-19 13:20 . 2008-08-14 14:26 2,190,464 -----c— c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-19 13:20 . 2008-08-14 14:26 2,067,328 -----c— c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-19 13:20 . 2008-08-14 14:26 2,025,472 -----c— c:\windows\system32\dllcache\ntkrpamp.exe
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 21:59 --------- d-----w c:\documents and settings\M i S\Dane aplikacji\OpenOffice.ux.pl2
2008-11-06 12:58 --------- d–h--w c:\program files\InstallShield Installation Information
2008-11-06 00:08 --------- d-----w c:\documents and settings\M i S\Dane aplikacji\Lavasoft
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 12:44 --------- d-----w c:\program files\Common Files\Adobe
2008-09-15 15:27 1,846,656 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:15 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:17 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:11 668,672 ----a-w c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Odkurzacz-MCD”=“d:\program files\Odkurzacz\odk_mcd.exe” [2007-05-03 264704]
“Gadu-Gadu”=“c:\program files\Gadu-Gadu\gg.exe” [2008-03-20 2127296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avgnt”=“c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” [2008-06-12 266497]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“NoResolveTrack”= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.ffds”= ffdshow.ax
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
–a------ 2008-06-17 15:00 1249280 c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
–a------ 2008-06-18 13:31 1122816 c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 00:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“avast! Web Scanner”=3 (0x3)
“avast! Mail Scanner”=3 (0x3)
“avast! Antivirus”=2 (0x2)
“aswUpdSv”=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“Adobe Photo Downloader”=“c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”
“ATIPTA”=“c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
“InCD”=c:\program files\Ahead\InCD\InCD.exe
“NeroFilterCheck”=c:\windows\system32\NeroCheck.exe
“QuickTime Task”=“c:\program files\QuickTime\qttask.exe” -atboottime
“SpyHunter Security Suite”=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
“avast!”=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“UpdatesDisableNotify”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-14 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-14 20560]
S3 ATE_PROCMON;ATE_PROCMON;??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
S3 MEMSWEEP2;MEMSWEEP2;??\c:\windows\system32\46.tmp []
.
.
------- Skan uzupełniający -------
.
FireFox -: Profile - c:\documents and settings\M i S\Dane aplikacji\Mozilla\Firefox\Profiles\2e9s4pu9.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 19:17:28
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
“ImagePath”="??\c:\windows\system32\46.tmp"
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Czas ukończenia: 2008-11-15 19:21:54 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2008-11-15 18:21:43
Przed: 28,574,904,320 bajtów wolnych
Po: 28,562,059,264 bajtów wolnych
160 — E O F — 2008-11-14 15:10:37
oraz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24, on 2008-11-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM…\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min
O4 - HKCU…\Run: [Odkurzacz-MCD] D:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
–
End of file - 4980 bytes